The General Data Protection Regulation (GDPR) prescribes seven key principles:
1. LAWFULNESS, FAIRNESS, AND TRANSPARENCY
2. PURPOSE LIMITATION
3. DATA MINIMIZATION
4. ACCURACY
5. STORAGE LIMITATION
6. INTEGRITY AND CONFIDENTIALITY
7. ACCOUNTABILITY
These 7 GDPR principles form the backbone of any compliance program, and as a data controller you are obligated to comply with them as described in Article 5.
We will go over each of the seven principles of the GDPR. However, we also encourage you to explore the links, since the topic is very broad and the links will hopefully provide more information.
1. Lawfulness, fairness, and transparency principle
When you look at the meaning of the words lawfulness, fairness, and transparency you can get a pretty good idea of how you should conduct personal data processing, as GDPR states:
“Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).” GDPR Article 5(1)(a)
Your processing should be based on the law, stay within the lines of what you explained to the individual, and be accompanied by clear notice about the processing. However, what precisely does the principle encompass?
In the context of the GDPR, lawfulness relates to two things: choosing a proper lawful basis for processing personal data, and avoiding illegal activities when processing personal data.
Before processing personal data, you should always identify the lawful basis or grounds for the processing. There are six different lawful bases for processing personal data:
1. CONSENT – the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. CONTRACT – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. LEGAL OBLIGATION – processing is necessary for compliance with a legal obligation to which the controller is subject;
4. PROTECTION OF VITAL INTERESTS – processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. PUBLIC TASK – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. LEGITIMATE INTEREST – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
You will have to base your processing on one of those six grounds; which one you pick will depend on your relationship with the individual and the circumstances of the processing. If you cannot apply any lawful basis to your processing activity, then the processing is unlawful.
Fairness means that you will process personal data only in a way that individuals would reasonably expect from you. You shouldn’t misuse personal data or process it in any way that would create negative effects for an individual.
Collecting, storing, and processing personal data that was obtained in a deceptive way, or by misleading the individual, will breach the fairness principle.
The transparency principle requires clear, open and honest communication towards individuals about how their personal data is being used. It is important to notify individuals about the information you use about them, whether you obtained that information from them directly, or from another source.
“The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.” Recital 39
The point of transparent processing is enabling individuals to exercise their rights under the GDPR if they wish.
In recent years there has been a greater emphasis on transparency, especially from the customer’s point of view. Many companies have seen this as an opportunity to create a competitive advantage by being open and transparent with individuals.
In recent research, 63% of customers stated most companies aren’t transparent about how their data is used. However, 58% of customers would be comfortable with relevant personal information being used in a transparent and beneficial manner.
2. Purpose limitation principle
Purpose limitation simply means that you need to be clear from the start about the reason why you are collecting and processing personal data and your intention behind it.
“Personal data shall be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.” GDPR Article 5(1)(b)
You can only use personal data for the purpose for which you collected it in the first place. Any additional processing has to be compatible with your original purpose, or you can always obtain consent from the individual.
If you are trying to define whether your new purpose is compatible with the old one, you can ask yourself:
➡️ Is your new purpose very different from your original purpose?
➡️ Would additional processing have a negative impact on individuals?
➡️ Is a new purpose completely disconnected from the original purpose?
➡️ Is a new purpose unexpected?
If you find yourself answering any of those questions with a yes, you are probably going to need to ask for new consent.
3. Data minimization principle
The data minimization principle limits the data controller to collecting, storing, processing, and using only the personal information that is necessary to provide the required service or fulfill a specific purpose.
“Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’).” GDPR Article 5(1)(c)
This means you will have to identify the minimum amount of data you need to fulfill the purpose for which you collected personal data in the first place.
Simply put, collect only the minimum data that you need.
For example, if you have a newsletter subscription, it is unnecessary to collect anything other than an e-mail address and possibly first name (if you want to provide a personalized experience for your subscribers).
If you want to make sure you are collecting a minimal amount of data, ask yourself:
➡️ Can you achieve the purpose without collecting the data?
➡️ Is your data collection limited to information that is strictly necessary for you to provide your service or fulfill a purpose?
4. Accuracy principle
The accuracy principle means you are responsible for taking all reasonable measures to ensure that the personal data you hold is correct and accurate.
“Personal data shall be: accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).” GDPR Article 5(1)(d)
The intention behind the accuracy principle is to encourage you to keep only relevant data and to update and maintain the personal data you are processing on a regular basis.
Therefore, you will have to conduct periodic accuracy checks and implement policies or procedures that help you update personal data when necessary. The best way to do this is to identify how often the data needs to be updated to fulfill the purpose you wanted to achieve in the first place.
Following this principle can actually help you get rid of all unnecessary, incorrect, and irrelevant data, and help you get a clearer picture of the relevance of personal data you are processing.
Bear in mind that data subjects can exercise their right to rectification, which is directly linked to the accuracy principle. The right to rectification grants an individual the right to demand that inaccurate personal data be erased, rectified or altered.
5. Storage limitation principle
The storage limitation principle prevents you from keeping personal data for longer than you need it.
“Personal data shall be: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).” GDPR Article 5(1)(e)
For every item of personal data that you are processing, you will have to be able to justify why you are keeping it. Setting up data retention and data deletion schedules can help you comply with the storage limitation principle.
You can find out more details about how long you should keep personal data in our blog, where we talked about how to define data retention periods, where to begin in the process, what the benefits of defining proper data retention periods are, what you should do with the data you no longer need, and more…
6. Integrity and confidentiality principle
The integrity and confidentiality principle is often referred to as the security principle. It entails implementing appropriate technical and organizational measures to protect personal data against intentional or unintentional risks, unauthorized third-party access, malicious attacks, and exploitation of data.
“Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’)” GDPR Article 5(1)(f)
As you can see, this principle is tightly connected with information security. However, it does not refer only to measures against malicious attacks and data breaches; it also includes the organizational measures you can implement to secure personal data.
7. Accountability principle
Last but not least, the accountability principle means you (as a data controller or organization) are responsible for compliance with all of the above-mentioned GDPR principles and, most importantly, for demonstrating that compliance when required.
This means you should document every step of your compliance journey and provide evidence of the steps you have taken so far. That evidence might include:
➡️ Documentation of processing activities
➡️ Implementation of technical and organizational measures
➡️ Implementation of data protection policies
➡️ Data protection impact assessments (if you had to conduct one)
➡️ Appointment of a DPO
If you are documenting all this in different systems, in different ways, for different departments, involving various people in the process, or you are documenting processing activities manually in Excel, this may cause serious problems in the long run. If that is the case, you might consider automating the process.
Why are the 7 principles of GDPR important?
It is very easy to overlook these 7 GDPR principles and focus on more specific parts of the GDPR, since the principles don’t set strict rules. However, the 7 GDPR principles represent the main building blocks and set the tone for the rest of the Regulation.
The principles should be intertwined with and implemented in every aspect of your compliance journey. This is why any violation of the GDPR principles can trigger the highest tier of administrative fines: up to €20 million or 4% of your total worldwide annual turnover, whichever is higher.